How to check for rootkits on Linux with Tiger

Concerned that you may have a rootkit on your Linux server, desktop or laptop? If you want to check whether or not rootkits are present on your system, and get rid of them, you’ll need to scan you system first. One of the best tools to scan for rootkits on Linux is Tiger. When run, it does a complete security report of your Linux system that outlines where the problems are (including rootkits).

In this guide, we’ll go over how to install the Tiger security tool and scan for dangerous Rootkits.

Install Tiger

Tiger doesn’t come with any Linux distributions out of the box, so before going over how to use the Tiger security tool on Linux, we will need to go over how to install it. You will need Ubuntu, Debian, or Arch Linux to install Tiger without compiling the source code.

Ubuntu

Tiger has long been in the Ubuntu software sources. To install it, open up a terminal window and run the following apt command.

sudo apt install tiger

Debian

Debian has Tiger, and it is installable with the Apt-get install command.

sudo apt-get install tiger

Arch Linux

The Tiger security software is on Arch Linux via the AUR. Follow the steps below to install the software on your system.

Step 3: Move the terminal session from its default directory (home) to the new tiger folder that holds the pkgbuild file.

cd tiger

Step 4: Generate an Arch installer for Tiger. Building a package is done with the makepkg command, but beware: sometimes package generation doesn’t work due to dependency problems. If this happens to you, check the official Tiger AUR page for the dependencies. Be sure also to read the comments, as other users may have insights.

makepkg -sri

Fedora and OpenSUSE

Sadly, both Fedora, OpenSUSE and other RPM/RedHat-based Linux distributions do not have an easy to install binary package to install Tiger with. To use it, consider converting the DEB package with alien. Or follow the source code instructions below.

Generic Linux

To build the Tiger app from source, you’ll need to clone the code. Open up a terminal and do the following:

git clone https://git.savannah.nongnu.org/git/tiger.git

Install the program by running the included shell script.

sudo ./install.sh

Alternatively, if you’d like to run it (rather than install it) do the following:

sudo ./tiger

Check for rootkits on Linux

Tiger is an automatic application. It doesn’t have any unique options or switches that users can use in the command-line. The user can’t just “run the rootkit” option to check for one. Instead, the user must use Tiger and run a full scan.

Each time the program runs, it does a scan of many different types of security threats on the system. You’ll be able to see everything it’s scanning. Some of the things that Tiger scans are:

Linux password files.

.rhost files.

.netrc files.

ttytab, securetty, and login configuration files.

Group files.

Bash path settings.

Rootkit checks.

Cron startup entries.

“Break-in” detection.

SSH configuration files.

Listening processes.

FTP configuration files.

To run a Tiger security scan on Linux, gain a root shell using the su or sudo -s command.

su -

or

sudo -s

Using root privileges, execute the tiger command to start the security audit.

tiger

Let the tiger command run and go through the audit process. It will print out what it’s scanning, and how it is interacting with your Linux system. Let the Tiger audit process run its course; it’ll print out the location of the security report in the terminal.

View Tiger Logs

To determine if you have a rootkit on your Linux system, you must view the security report.

To look at any Tiger security report, open up a terminal and use the CD command to move into /var/log/tiger.

Note: Linux will not let non-root users in /var/log. You must use su.

su -

or

sudo -s

Then, access the log folder with:

cd /var/log/tiger

In the Tiger log directory, run the ls command. Using this command prints out all the files in the directory.

ls

Take your mouse and highlight the security report file that ls reveals in the terminal. Then, view it with the cat command.

cat security.report.xxx.xxx-xx:xx

Look over the report and determine if Tiger has detected a rootkit on your system.

Removing rootkits on Linux

Removing Rootkits from Linux systems — even with the best tools, is hard and not successful 100% of the time. While it is true there are programs out there that may help get rid of these kinds of issues; they don’t always work.

Like it or not, if Tiger has determined a dangerous worm on your Linux PC, it’s best to back up your critical files, create a new live USB, and re-install the operating system altogether.